creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/detecting-privilege-escalation-attempts/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

50 lines
2.0 KiB
Markdown
Raw Blame History

# API Reference: Detecting Privilege Escalation Attempts
## Windows Security Event IDs
| Event ID | Description |
|----------|-------------|
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4674 | Operation attempted on a privileged object |
| 4688 | New process created (token elevation check) |
| 4703 | User right was adjusted |
## Sysmon Event IDs
| Event ID | Description |
|----------|-------------|
| 1 | Process Create with IntegrityLevel field |
| 10 | ProcessAccess (token duplication detection) |
| 13 | RegistryEvent (UAC bypass registry keys) |
## Key Libraries
- **pywin32** (`pip install pywin32`): `win32evtlog.OpenEventLog()`, `ReadEventLog()`, `CloseEventLog()`
- **python-evtx** (`pip install python-evtx`): Parse EVTX files offline with `Evtx.Evtx(path)`
- **re** (stdlib): Pattern matching for UAC bypass indicators in command lines
## UAC Bypass Detection Patterns
| Binary | Registry Key |
|--------|-------------|
| `fodhelper.exe` | `HKCU\Software\Classes\ms-settings\shell\open\command` |
| `eventvwr.exe` | `HKCU\Software\Classes\mscfile\shell\open\command` |
| `sdclt.exe` | `HKCU\Software\Classes\exefile\shell\runas\command` |
| `computerdefaults.exe` | `HKCU\Software\Classes\ms-settings\shell\open\command` |
## Configuration
| Variable | Description |
|----------|-------------|
| `PRIV_ESC_EVENT_IDS` | Map of Security event IDs to descriptions |
| `SUSPICIOUS_PROCESSES` | List of processes to flag when running elevated |
| `UAC_BYPASS_INDICATORS` | Regex patterns for known UAC bypass techniques |
## References
- [MITRE ATT&CK T1548 - Abuse Elevation Control Mechanism](https://attack.mitre.org/techniques/T1548/)
- [MITRE ATT&CK T1134 - Access Token Manipulation](https://attack.mitre.org/techniques/T1134/)
- [Windows Security Auditing](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/)
- [Sysmon Documentation](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)
Reference in New Issue View Git Blame Copy Permalink